Category: Security

Almost two years ago, Royce Davis (@r3dy__) published an article about leveraging a Jenkins application, which contained no password, to successfully compromise a system on an organization’s internal network environment. This was accomplished by using a functionality within the application to execute operating system commands. You can find more information about this post here: https://www.pentestgeek.com/penetration-testing/hacking-jenkins-servers-with-no-password/. To… Read more »

It is that time of the year again, when we force ourselves to stop for a moment and reflect on the events and technologies that we have encountered over the past year then adjust our service offerings to better meet the needs of our clients and the information security industry as a whole. In our… Read more »

Definitively Identifying Java Deserialization Vulnerabilities [Part 1 of this blog series can be found here: Deserialization Passive Detection] To help our customers and readers definitively identify Java Deserialization vulnerabilities, we have created an additional Burp Suite Extender called “SuperSerial-Active” to complement our previous release of “SuperSerial-Passive” (https://github.com/DirectDefense/SuperSerial). Unlike the previous extender, which only passively identifies potential instances… Read more »

Locating your Java Deserializaiton Issues [UPDATE: Part 2 of this blog series can be found here: Deserialization Active Identification] The weekend started off with a bang for some when Foxglove Security posted a blog pertaining to Java Deserialization issues. For application security folks, we just have to shake our heads once more. It comes as no surprise that… Read more »

As we wind down yet another year here at DirectDefense, we’d like to take a moment to reflect on the big stories and security themes of this year and provide some recommendations for the coming new year. If we can say one thing about the state of security this past year, it is that many organizations… Read more »

Boy what a year 2014 is turning out to be. First we had Heartbleed turn the Internet upside-down. Last month, we had Shellshock shock the industry. And now we have POODLE. POODLE, unlike Heartbleed and Shellshock, is going after clients and not servers this time. More specifically, POODLE is taking advantage of the fifteen year… Read more »

In our previous segment (Bridging Your Gaps – Part 1), we covered network segmentation and egress filtering.  Now let’s focus on some of the gaps that can directly lead to access to your sensitive data. Social Engineering and Browser Security The attackers in the Lockheed Martin breach of 2011, leveraged social engineering along with stolen… Read more »

As part of our “Bridging Your Gaps” presentation series, we cover some of the more common gaps that we see and exploit while performing penetration testing for our clients. These gaps have also been leveraged in many of the high profile breaches that occurred during 2013-2014, so this helps to highlight the importance of addressing… Read more »

We (the Internet) are about 48 hours into the active response of the OpenSSL HeartBleed vulnerability (CVE-2014-0160). While there has been a lot of news on the topic and a few limited discussions on dealing with the threat, only a handful of articles are approaching the discussion on how to prioritize the threat posed by… Read more »

We are almost to the end of another year, and it has been a busy one for us here at DirectDefense.  In addition to performing our normal engagements, such as performing network and application penetration tests, we have also enjoyed a lot of positive feedback from our presentation series – Catch me if you Can. During… Read more »